Skip to content

build(deps): bump actions/attest-build-provenance from 1 to 2 #1409

build(deps): bump actions/attest-build-provenance from 1 to 2

build(deps): bump actions/attest-build-provenance from 1 to 2 #1409

Workflow file for this run

name: Interoperability tests
on: [push, repository_dispatch]
jobs:
build-rage:
name: Build rage
runs-on: ubuntu-latest
steps:
- name: Create FiloSottile/age status
if: always() && github.event.action == 'age-interop-request'
run: |
curl -X POST https://api.github.com/repos/FiloSottile/age/statuses/${{ github.event.client_payload.sha }} \
-H 'Accept: application/vnd.github.everest-preview+json' \
-H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
--data '{"state": "pending", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "In progress", "context": "Interoperability tests / Build rage"}'
- uses: actions/checkout@v4
- name: cargo build
run: cargo build --release --features unstable
working-directory: ./rage
- uses: actions/upload-artifact@v4
with:
name: rage
path: |
target/release/rage
target/release/rage-keygen
- name: Update FiloSottile/age status with result
if: always() && github.event.action == 'age-interop-request'
run: |
curl -X POST https://api.github.com/repos/FiloSottile/age/statuses/${{ github.event.client_payload.sha }} \
-H 'Accept: application/vnd.github.everest-preview+json' \
-H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
--data '{"state": "${{ job.status }}", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "Finished", "context": "Interoperability tests / Build rage"}'
build-age:
name: Build age
runs-on: ubuntu-latest
steps:
- name: Create FiloSottile/age status
if: always() && github.event.action == 'age-interop-request'
run: |
curl -X POST https://api.github.com/repos/FiloSottile/age/statuses/${{ github.event.client_payload.sha }} \
-H 'Accept: application/vnd.github.everest-preview+json' \
-H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
--data '{"state": "pending", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "In progress", "context": "Interoperability tests / Build age"}'
- name: Set up Go 1.19
uses: actions/setup-go@v5
with:
go-version: 1.19
id: go
- name: Use specified FiloSottile/age commit
if: github.event.action == 'age-interop-request'
run: echo "AGE_REF=${{ github.event.client_payload.sha }}" >> $GITHUB_ENV
- name: Use FiloSottile/age current main
if: github.event.action != 'age-interop-request'
run: echo "AGE_REF=refs/heads/main" >> $GITHUB_ENV
- name: Check out FiloSottile/age
uses: actions/checkout@v4
with:
repository: FiloSottile/age
ref: ${{ env.AGE_REF }}
path: go-age/age
- name: go build
run: |
cd $GITHUB_WORKSPACE/go-age/age
go build filippo.io/age/cmd/age
go build filippo.io/age/cmd/age-keygen
- uses: actions/upload-artifact@v4
with:
name: age
path: |
go-age/age/age
go-age/age/age-keygen
- name: Update FiloSottile/age status with result
if: always() && github.event.action == 'age-interop-request'
run: |
curl -X POST https://api.github.com/repos/FiloSottile/age/statuses/${{ github.event.client_payload.sha }} \
-H 'Accept: application/vnd.github.everest-preview+json' \
-H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
--data '{"state": "${{ job.status }}", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "Finished", "context": "Interoperability tests / Build age"}'
test:
name: ${{ matrix.alice }} -> ${{ matrix.bob }} [${{ matrix.recipient }}]
runs-on: ubuntu-latest
needs: [build-rage, build-age]
strategy:
matrix:
alice: [rage, age]
bob: [rage, age]
recipient: [x25519, ssh-rsa, ssh-ed25519]
fail-fast: false
steps:
- name: Create FiloSottile/age status
if: always() && github.event.action == 'age-interop-request'
run: |
curl -X POST https://api.github.com/repos/FiloSottile/age/statuses/${{ github.event.client_payload.sha }} \
-H 'Accept: application/vnd.github.everest-preview+json' \
-H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
--data '{"state": "pending", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "In progress", "context": "Interoperability tests / ${{ matrix.alice }} -> ${{ matrix.bob }} [${{ matrix.recipient }}]"}'
# Download the binaries to test
- uses: actions/download-artifact@v4
with:
name: rage
- uses: actions/download-artifact@v4
with:
name: age
- run: chmod +x rage
- run: chmod +x rage-keygen
- run: chmod +x age
- run: chmod +x age-keygen
# Prepare the test environment
- name: Install dos2unix for simulating Windows files
run: sudo apt update && sudo apt install dos2unix
- name: Write (very not private) age X25519 key
if: matrix.recipient == 'x25519'
run: echo "AGE-SECRET-KEY-1TRYTV7PQS5XPUYSTAQZCD7DQCWC7Q77YJD7UVFJRMW4J82Q6930QS70MRX" >key.txt
- name: Save the corresponding age x25519 recipient
if: matrix.recipient == 'x25519'
run: echo "age1y8m84r6pwd4da5d45zzk03rlgv2xr7fn9px80suw3psrahul44ashl0usm" >key.txt.pub
- name: Set the corresponding age x25519 recipient
if: matrix.recipient == 'x25519'
run: echo "AGE_PUBKEY=-r age1y8m84r6pwd4da5d45zzk03rlgv2xr7fn9px80suw3psrahul44ashl0usm" >> $GITHUB_ENV
- name: Generate an ssh-rsa key
if: matrix.recipient == 'ssh-rsa'
run: ssh-keygen -t rsa -N "" -f key.txt
- name: Generate an ssh-ed25519 key
if: matrix.recipient == 'ssh-ed25519'
run: ssh-keygen -t ed25519 -N "" -f key.txt
- name: Set the corresponding SSH recipient
if: matrix.recipient == 'ssh-rsa' || matrix.recipient == 'ssh-ed25519'
run: echo "AGE_PUBKEY=-R key.txt.pub" >> $GITHUB_ENV
- name: Store key.txt in case we need it
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_key.txt
path: key.txt
# Tests!
- name: Encrypt to file
run: echo "Test string" | ./${{ matrix.alice }} -o test.age $AGE_PUBKEY
- name: Decrypt from file
run: ./${{ matrix.bob }} -d -i key.txt test.age | grep -q "^Test string$"
- name: Store test.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test.age
path: test.age
- name: Generate a file to encrypt
run: echo "2 test 2 string" > test2.txt
- name: Encrypt to ASCII-armored file
run: ./${{ matrix.alice }} -a -o test2.age $AGE_PUBKEY test2.txt
- name: Decrypt from ASCII-armored file
run: ./${{ matrix.bob }} -d -i key.txt test2.age | grep -q "^2 test 2 string$"
- name: Store test2.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test2.age
path: test2.age
- name: Convert file to CRLF
run: unix2dos test2.age
- name: Decrypt from ASCII-armored CRLF file
run: ./${{ matrix.bob }} -d -i key.txt test2.age | grep -q "^2 test 2 string$"
- name: Store CRLF-ed test2.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test2.age
path: test2.age
- name: Pipes!
run: echo "Test string 3 - ASCII Drift" | ./${{ matrix.alice }} $AGE_PUBKEY | tee --output-error=warn test3.age | ./${{ matrix.bob }} -d -i key.txt | grep -q "^Test string 3 - ASCII Drift$"
- name: Store test3.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test3.age
path: test3.age
- name: Explicit stdout during encryption
run: ./${{ matrix.alice }} -a -o - $AGE_PUBKEY test2.txt >test4.age
- name: Explicit stdin during decryption
run: cat test4.age | ./${{ matrix.bob }} -d -i key.txt - | grep -q "^2 test 2 string$"
- name: Store test4.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test4.age
path: test4.age
- name: Generate a file to encrypt
run: echo "Test 5" > test5.txt
- name: Encrypt to identity in a named pipe
run: ./${{ matrix.alice }} -e -i <(cat key.txt) -o test5.age test5.txt
- name: Decrypt with identity in a named pipe
run: ./${{ matrix.bob }} -d -i <(cat key.txt) test5.age | grep -q "^Test 5$"
- name: Store test5.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test5.age
path: test5.age
- name: Encrypt to recipient in standard input
run: cat key.txt.pub | ./${{ matrix.alice }} -e -R - -o test6.age test5.txt
- name: Decrypt with identity in standard input
run: cat key.txt | ./${{ matrix.bob }} -d -i - test6.age | grep -q "^Test 5$"
- name: Store test6.age
uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.alice }}_${{ matrix.bob }}_${{ matrix.recipient }}_test6.age
path: test6.age
- name: Keygen prevents overwriting an existing file
run: |
touch do_not_overwrite_key.txt
if $(./${{ matrix.alice }}-keygen -o do_not_overwrite_key.txt); then
false
else
true
fi
- name: Keygen supports conversion from stdin
run: ./${{ matrix.alice }}-keygen | ./${{ matrix.bob }}-keygen -y
- name: Keygen supports conversion from file
if: matrix.recipient == 'x25519'
run: ./${{ matrix.alice }}-keygen -y key.txt
- name: Update FiloSottile/age status with result
if: always() && github.event.action == 'age-interop-request'
run: |
curl -X POST https://api.github.com/repos/FiloSottile/age/statuses/${{ github.event.client_payload.sha }} \
-H 'Accept: application/vnd.github.everest-preview+json' \
-H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
--data '{"state": "${{ job.status }}", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "Finished", "context": "Interoperability tests / ${{ matrix.alice }} -> ${{ matrix.bob }} [${{ matrix.recipient }}]"}'